Can you be phished in Slack?
December 4, 2022
Is Slack a trusted platform for communication?
The short answer is yes. The longer answer is that you should always be skeptical of messages, and especially of requests, that you receive on any communication platform: Slack, Teams, email, LinkedIn, social media, and so on.
Phishing is a form of social engineering attack that exploits human psychology to trick victims into taking some action. The most common form is email phishing, where attackers try to get users to click a link and hand over sensitive information such as usernames and passwords. It is extremely common and is the most frequently successful type of cyberattack. The tooling to scale these attacks, and the lists of email addresses to target, are cheap on the dark web, so attackers do not need to be technically savvy to launch large-scale phishing campaigns.
While email is the most common phishing vector, it is not the only one. Anywhere users can receive messages is a potential attack vector, and Slack, as a communication platform, is one of them.
There are a couple of avenues for phishing in Slack. Last year, a lot of attention was given to Slack phishing attacks that leveraged Slack webhooks. While these represent a real threat to Slack users, they are uncommon and often spotted, because the messages do not come directly from users but from apps posting through webhooks, and Slack labels such messages as coming from an app rather than from a person.
A stealthier, albeit more complex, form of Slack phishing is an attack launched from a compromised Slack account. User accounts are compromised all the time. Because a high percentage of users reuse passwords, attackers can take credentials exposed in one breach and try them against other services, including Slack (credential stuffing). Enforcing two-factor authentication on the workspace blunts this, since a reused password alone is then not enough to log in.
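To make the difference between the two vectors concrete, here is an added example (not code from the original post or from Haekka): a small Python triage routine run over constructed Slack message events. It assumes the Slack Events API "message" shape, in which a message posted by an app or incoming webhook carries `"subtype": "bot_message"` and a `bot_id`, while a message sent by a person carries a `user` ID. The sample events, the `example.test` URLs and the keyword lists are all constructed for illustration. The point it demonstrates is that origin alone only catches the webhook case; the compromised-account message comes from a genuine user ID, so only its content gives it away.

```python
"""Triage constructed Slack message events for phishing indicators.

Added example (not from the original post or from Haekka). Assumes the
Slack Events API "message" shape: app/webhook posts carry "subtype":
"bot_message" and a "bot_id"; posts by a person carry a "user" ID.
All events, URLs and keyword lists below are constructed for illustration.
"""
import json
import re
from dataclasses import dataclass

# Constructed sample events. Event 1 mimics the webhook/app vector; events 2
# and 3 come from real user accounts, and event 3 is the compromised-account case.
SAMPLE_EVENTS_JSON = """[
  {"type": "message", "subtype": "bot_message", "bot_id": "B0AAAAAAA",
   "username": "IT Helpdesk", "channel": "C0GENERAL", "ts": "1670112000.000100",
   "text": "Your SSO session expired. Re-enter your password at https://sso-example.test/login"},
  {"type": "message", "user": "U0ALICE", "channel": "C0GENERAL", "ts": "1670112001.000200",
   "text": "Lunch at noon? Menu is at https://intranet.example.test/cafeteria"},
  {"type": "message", "user": "U0BOB", "channel": "D0DIRECT", "ts": "1670112002.000300",
   "text": "hey, quick favor: can you verify your login at https://okta-verify.example.test and send me the MFA code?"}
]"""
SAMPLE_EVENTS = json.loads(SAMPLE_EVENTS_JSON)

URL_RE = re.compile(r"https?://[^\s<>|]+")
# Hypothetical keyword lists; a real deployment would tune these.
CREDENTIAL_TERMS = ("password", "passcode", "mfa code", "2fa", "verification code",
                    "login", "sign in", "credentials")
URGENCY_TERMS = ("expired", "urgent", "immediately", "asap", "suspended", "locked")


@dataclass
class Verdict:
    ts: str
    origin: str          # "app" (webhook/bot) or "user" (human account)
    sender: str
    links: list
    indicators: list
    suspicious: bool


def classify_origin(event: dict) -> tuple:
    """Tell app/webhook-posted messages apart from messages sent by a person."""
    if event.get("subtype") == "bot_message" or "bot_id" in event:
        return "app", event.get("username") or event.get("bot_id", "unknown-app")
    return "user", event.get("user", "unknown-user")


def assess(event: dict) -> Verdict:
    """Score one message on its content, so the user-origin case is not missed."""
    origin, sender = classify_origin(event)
    text = event.get("text", "")
    lowered = text.lower()
    links = URL_RE.findall(text)
    indicators = []
    if links:
        indicators.append("contains_link")
    if any(term in lowered for term in CREDENTIAL_TERMS):
        indicators.append("requests_credentials")
    if any(term in lowered for term in URGENCY_TERMS):
        indicators.append("urgency")
    # A credential request paired with a link or with pressure to act is the
    # classic phishing shape; a bare link (event 2) is not enough on its own.
    suspicious = "requests_credentials" in indicators and (
        "contains_link" in indicators or "urgency" in indicators)
    return Verdict(event.get("ts", ""), origin, sender, links, indicators, suspicious)


def triage(events: list) -> list:
    """Assess every event and return one Verdict per message, in order."""
    return [assess(e) for e in events]


if __name__ == "__main__":
    for v in triage(SAMPLE_EVENTS):
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{v.ts} {v.origin:<4} {v.sender:<12} {flag:<10} {v.indicators}")
```

Running it flags the webhook message and the message from the compromised account, and leaves the ordinary lunch link alone. In the first case the `app` origin would already be visible to a user in Slack's interface; in the second it is not, which is why content-based review and out-of-band verification matter more for that vector.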
Here’s a simple example of a Slack phishing workflow:
For this post, we assume the Slack phishing attack comes from a real but compromised Slack account rather than from a webhook. The messages reaching users look real because they are real: ordinary Slack messages sent from a genuine account, which Slack has no reason to label as anything other than a normal user message.
The same rules apply to Slack messages asking for sensitive information as to email, the most common form of phishing: treat the request with skepticism, do not enter credentials through a link sent in chat, and confirm the request with the sender through a different channel before acting on it.